can't get this to work, man..... I put this function and the get_num function in the exploit and set a variable $get_prefix. Before even validating the user ID I make an if() check whether $get_prefix is TRUE. If so I call the get_prefix function and the outcome is always the same - Wrong prefix.... It happens when get_prefix calls test_condition and I can't understand how to get that working.....

thanks, what's so different in your version of the exploit? if it's not a secret, of course

Posted: Tue Jan 19, 2010 5:58 pm

waraxe

Site admin

Joined: May 11, 2004

Posts: 2407

Location: Estonia, Tartu

AIR_Nayden wrote:

thanks, what's so different in your version of the exploit? if it's not a secret, of course

It contains more functionality. For example, the admin_login_logs table contains interesting information, which allows effective use of a mask attack against password hashes.
And it does check FILE privileges for the current SQL user.

Posted: Tue Jan 19, 2010 6:12 pm

AIR_Nayden

Advanced user

Joined: Dec 30, 2009

Posts: 70

Location: Bulgaria

interesting, what is this mask attack used for? and btw: I found a vulnerable forum with a different table prefix. The URL check is passed, but when it gets to SQL prefix finding it results in an SQL error (wrong prefix...). Why is that so? I'm pretty sure the MySQL server there is 5+

Posted: Tue Jan 19, 2010 6:20 pm

waraxe

Site admin

Joined: May 11, 2004

Posts: 2407

Location: Estonia, Tartu

AIR_Nayden wrote:

interesting, what is this mask attack used for? and btw: I found a vulnerable forum with a different table prefix. The URL check is passed, but when it gets to SQL prefix finding it results in an SQL error (wrong prefix...). Why is that so? I'm pretty sure the MySQL server there is 5+

Probably version < 5.x ...
You can try TCP port 3306 and if it's open, then it may reveal the MySQL daemon version.
In my exploit there is a special function for mitigating such a problem:

Mask attack ..., well, admin_login_logs gives a hint about the plaintext password in the form "******a". So the password length will be known, and the last character too.
The PasswordsPro password cracking utility offers a mask attack option, so if you know that the last char is "a" and before that are 6 other chars, then cracking performance is maximised.

Posted: Tue Jan 19, 2010 6:37 pm

AIR_Nayden

Advanced user

Joined: Dec 30, 2009

Posts: 70

Location: Bulgaria

that is very useful.... maybe I should get down to work and write these functions for me as well

Strange.... this test SQL version function also gives me an SQL prefix error on the board with the changed prefix, and it returns 1 on the board with the ibf_ prefix....

Posted: Tue Jan 19, 2010 7:54 pm

waraxe

Site admin

Joined: May 11, 2004

Posts: 2407

Location: Estonia, Tartu

AIR_Nayden wrote:

that is very useful.... maybe I should get down to work and write these functions for me as well

Strange.... this test SQL version function also gives me an SQL prefix error on the board with the changed prefix, and it returns 1 on the board with the ibf_ prefix....

Without seeing the SQL errors log it's hard to guess the reason.
Still, I suggest changing "-- " comments to "%2523":
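As an added example (not code from this thread or from waraxe's exploit), here is a defender-side check for the comment-terminator trick the post above describes: it percent-decodes each query string in a web server log repeatedly, so a double-encoded "%2523" (which decodes to "%23" and then to "#") is caught just like a plain "-- ". The log format and sample lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache combined-style request line: method, URL and protocol inside quotes.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')
# MySQL comment terminators: "-- " (dash dash whitespace), "#" and "/*".
COMMENT_RE = re.compile(r"--(?:\s|$)|#|/\*")

def decode_rounds(s: str, max_rounds: int = 3):
    """Percent-decode until the string stops changing.
    Returns (decoded, rounds); rounds > 1 means the input was double-encoded."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s, rounds = decoded, rounds + 1
    return s, rounds

def suspicious_requests(log_lines):
    """Return (url, decoded_query, rounds) for every request whose query
    string contains a SQL comment marker after full decoding."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m or "?" not in m.group(1):
            continue
        url = m.group(1)
        query = url.split("?", 1)[1]
        decoded, rounds = decode_rounds(query)
        if COMMENT_RE.search(decoded):
            hits.append((url, decoded, rounds))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jan/2010:18:37:00 +0200] "GET /index.php?showtopic=12 HTTP/1.1" 200 5120',
    '10.0.0.6 - - [19/Jan/2010:18:37:05 +0200] "GET /index.php?showtopic=12--%20 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [19/Jan/2010:18:37:09 +0200] "GET /index.php?showtopic=12%2523 HTTP/1.1" 500 310',
    '10.0.0.8 - - [19/Jan/2010:18:37:12 +0200] "GET /index.php?showforum=3&st=20 HTTP/1.1" 200 7001',
]

if __name__ == "__main__":
    for url, decoded, rounds in suspicious_requests(SAMPLE_LOG):
        print(f"{url} -> {decoded!r} (decoded {rounds}x)")
```

A single decoding pass, which is what many WAF rules and log greps do, misses the third line entirely; the rounds count tells you which requests were deliberately hidden behind a second layer of encoding.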

All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2013 Janek Vind "waraxe"